Description:
WiRouterKeyRec is a recovery tool for WPA passphrases.
A crafted AGPF config causes a divide-by-zero in agpf_get_serial.
The complete ASan output:
WiRouterKeyRec --config crash.agpf -s Alice-48230959

WiRouter KeyRec 1.1.2 - (C) 2011 Salvatore Fresta
http://www.salvatorefresta.net

ASAN:DEADLYSIGNAL
=================================================================
==27225==ERROR: AddressSanitizer: FPE on unknown address 0x0000005019fc (pc 0x0000005019fc bp 0x7fffe1f6fbe0 sp 0x7fffe1f6fa00 T0)
    #0 0x5019fb in agpf_get_serial /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:445:20
    #1 0x5019fb in agpf_get_config /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:355
    #2 0x4f510f in wr_get_keys /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/wirouterkeyrec.c:480:28
    #3 0x4f2238 in main /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/wirouterkeyrec.c:307:18
    #4 0x7fdbc7f6161f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418c28 in getenv (/usr/bin/WiRouterKeyRec+0x418c28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:445:20 in agpf_get_serial
==27225==ABORTING
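The bug class here is a divisor taken from attacker-controlled config data and used without validation. The following is an added illustration written for this page, not code from WiRouterKeyRec's agpf.c (which is not reproduced here): a hypothetical serial-derivation step that parses its divisor from a config field and refuses the configuration when the field is not a clean non-zero integer, instead of trapping with SIGFPE. The function names, the status codes and the sample inputs are all constructed for the example; the base value 48230959 is simply the number visible in the SSID used in the crash reproduction above.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of a hardened serial derivation.
 * Not the project's code: agpf.c is not on the page, so the real
 * arithmetic is unknown. The point is the validation in front of '/'. */

enum serial_status {
    SERIAL_OK = 0,
    SERIAL_BAD_INPUT = 1,     /* field is not a clean integer */
    SERIAL_ZERO_DIVISOR = 2,  /* would raise SIGFPE if divided by */
    SERIAL_OVERFLOW = 3       /* LONG_MIN / -1, also undefined behaviour */
};

/* Parse the divisor from a config field and divide only after all checks
 * pass. Returns a status; the quotient is written through *out on SERIAL_OK. */
static enum serial_status serial_from_field(long base, const char *field, long *out)
{
    char *end = NULL;
    errno = 0;
    long step = strtol(field, &end, 10);

    if (field == NULL || end == field || *end != '\0' || errno == ERANGE)
        return SERIAL_BAD_INPUT;   /* empty, trailing garbage, or out of range */
    if (step == 0)
        return SERIAL_ZERO_DIVISOR; /* reject the config instead of trapping */
    if (base == LONG_MIN && step == -1)
        return SERIAL_OVERFLOW;     /* the one signed division that still traps */

    *out = base / step;
    return SERIAL_OK;
}

/* Convenience wrappers so callers (and tests) can check status and value separately. */
static int serial_status(long base, const char *field)
{
    long unused = 0;
    return (int)serial_from_field(base, field, &unused);
}

static long serial_value(long base, const char *field)
{
    long value = 0;
    if (serial_from_field(base, field, &value) != SERIAL_OK)
        return -1; /* constructed sentinel: caller must check status first */
    return value;
}

int main(void)
{
    /* Constructed sample config fields: one good, the rest malformed. */
    const char *fields[] = { "7", "0", "12abc", "", "-1" };
    const long base = 48230959; /* taken from the SSID in the crash log above */

    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        long v = 0;
        enum serial_status st = serial_from_field(base, fields[i], &v);
        if (st == SERIAL_OK)
            printf("field \"%s\": serial %ld\n", fields[i], v);
        else
            printf("field \"%s\": rejected (status %d)\n", fields[i], (int)st);
    }
    return 0;
}
```

A build with `-fsanitize=undefined` (or ASan, as in the report above) is the cheapest way to catch the unchecked variant during fuzzing: the sanitizer turns the integer trap into a report with the exact source line, which is what the stack trace on this page shows.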
Affected version:
1.1.2
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-08-04: bug discovered
2016-08-05: bug reported to upstream
2016-08-05: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink: